Phishing gets all the press when it comes to email account exploits. This is because phishing is the attack vector for over 90% of all cyber-attacks. But there are other ways that bad actors, cyber-criminals, and state-sponsored cyber-warriors use email that don’t involve phishing at all, and the outcomes of these exploits can be as bad or even worse than phishing. Today and Wednesday we will take a look at these exploits and learn how they work.
- Password Hash Replay – When you create a password, it is transformed by a one-way function called hashing. The hash, not the password, is stored on the server you need to authenticate to. Password “cracking” involves creating hashes of all possible letter combinations until the hash they create matches the hash of your password. But it is also possible to just capture the hash by using a malicious email link and a fake login page, and replay the hash to log into the server. If this is your mail server, the attacker has just logged into your email account.
- Solution – Use longer passwords, and block outbound authentication logons at the firewall.
- Password Spraying – Most brute-force password cracking is done offline. The reason that brute-force password cracking will not work online is that most login servers have rules that lock the account after 5 or 6 erroneous attempts in a certain length of time, like a minute. Password spraying is one way to crack a password online. It requires a long list of user names and runs all the user names with a single password. Once the names are exhausted, a different password is tried. Because each account sees only one attempt per pass, this generally gets around login lockout rules.
- Solution – Longer passwords coupled with two-factor authentication can help.
- Web Forms – Often an email link may direct the target to malicious or fraudulent login screens, where passwords may be harvested or malware downloaded and installed on the target’s computer.
- Solution – Be sure that you are on the genuine website by checking the URL that shows in the browser address bar.
- Password Recovery – Attackers will use the “I forgot my password” recovery link to recover or reset a target’s password. These recovery methods are often less robust and easily compromised.
- Solution – Never truthfully answer the “secret questions” used to reset your password, because it can be very easy to find the answers with a little Google research. Make something up, and save the answers in your password manager.
- SMS PIN Recovery – There are exploits that attempt to intercept your SMS two-factor or recovery code. Sometimes the attacker will try to get you to reply with the code via SMS. The code should only be entered in a web page. But sometimes attackers will set up a fake 2FA screen to capture your 2FA code.
- Solution – Make sure you are connecting to authentic login and 2FA web pages. Using device-based 2FA methods such as the YubiKey or Titan USB authenticator can prevent this exploit from working.
On Wednesday we will look at five more ways that email can be used as an attack vector.